
Saturday night I got a notice from my virus checker (Norton 2004) of a Trojan attack. I thought that it had been successfully blocked, but when I rebooted on Sunday I started getting the following popup about every 5 minutes (misspellings and all):

Windows Security Alert
Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click YES to download spyware remover...

I also discovered that I am locked out of many administrative applications (e.g. task manager)

I followed the instructions in the Preparations Guide before posting to this forum, but I am still getting the popup and I am still locked out of administrative applications. I have pasted my HijackThis log below.

A few other notes which I hope are helpful:

I ran Adware 2007 5 times; it reported over 310 infections the first time and indicated that it had repaired them. However, the 3rd, 4th, and 5th times I ran it, it showed 118 infections each time, even though it indicated that it had repaired them each time. Also, after running Adware, I started getting an error message each time I shut down stating that reg.exe had failed to initialize with the following error code: 0xc0000142. Now, intermittently on restart, Windows stalls at a blue screen with the Windows logo and "Please wait..." Eventually it gets past this and loads.

One of the virus checkers recommended in the Preparation Guide (I believe it was Housecall) indicated that I had worm_nucrp.gen and java_bytever.dl

BitDefender listed me as infected with a variety of trojan viruses: Trojan.Downloader.WinAntivirus.A, Trojan.Exploit.Byteverify.V, Trojan.Downloader.Java.Agent.A, Trojan.Java.Downloader.D, Java.Trojan.Exploit.Bytverify, Generic.Malware.SDYd!wdld.D7CFDC9B, Java.Trojan.Femad.A, Java.Trojan.Femad.B, Trojan.Revop.E, Trojan.Exploit.Byteverify.AC, Trojan.Agent.AGEG, DeepScan:Generic.Malware.SDYBd!wdld.FDAB348E, Generic.Qhost.16934822

Clearly, I'm a mess. I will be extremely grateful if someone can guide me out of this. (Or maybe I should just chuck the whole PC...)


Addendum: I also ran Spybot as outlined in the Preparation Guide. After running it a few times (and rebooting between each scan) I got the same 5 problems detected each time. As with some of the other scanners, Spybot indicated that the problems were fixed, but each would reappear with each subsequent scan.

I ran SDFix as you instructed (took a couple tries to get into SafeMode - I was too slow on the F8). The SDFix report and new HijackThis logs are below.

A few notes:

1) After the final reboot I got a Windows error which, when I clicked on Send Error Report, took me to a Microsoft webpage saying that I needed to download updates for Drive Letter Access (DLA), which was created by Sonic Solutions. I have never seen this before, and did not install the updates.
2) I then got a prompt to install Elite Protector, which I aborted.
3) Next I got the following SpyBot notice (I denied the change):

4) Next, Norton blocked an attempt by antivirus.exe to access the internet.
5) Finally, I am still getting the initial bogus Windows Security Alert.

I don't know if any of that is relevant, but I wanted to let you know.

I see you are running TeaTimer. Please disable it because it can interfere with the changes you'll make on your system. If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Then, download ResetTeaTimer.bat. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Disable Norton Antivirus while you run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

If you have used ComboFix before, please delete the version you have and redownload it again, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

1. Download this file - combofix.exe to your Desktop. Note: It is important that it is saved directly to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply. Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to. Do NOT run ComboFix more than once.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall. Do not run ComboFix more than once. In case you see a sed.cfexe error with the option to send a report or not, choose "don't send". The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, ComboFix is still at work.

ComboFix should never take more than 20 minutes including the reboot if malware is detected. If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue. If that happened we want to know, and also what process you had to end.

If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix. Note that some versions of Norton Antivirus do not have script blocking.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service: To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services. Find the ScriptBlocking service, right-click the service, and then click Properties. On the General tab, under Startup, click Disabled. Under Service Status, click the Stop button. Click the Apply button.
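The same Services-console steps done from an elevated PowerShell prompt, as an added example that is not part of the original thread. It assumes the Norton service's name or display name contains "Script" and "Block" (the post only says "ScriptBlocking"; adjust the pattern if yours differs) and records the original startup mode so the service can be put back once the fix is finished.

```powershell
# Added example (not from the original post). Assumption: the Norton service matches
# this wildcard by service name or display name; some Norton versions have no such service.
$Pattern = '*Script*Block*'

function Disable-ScriptBlockingService {
    param([string]$Pattern)
    $services = Get-Service | Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern }
    if (-not $services) {
        # Matches the caveat above: nothing to disable on versions without script blocking.
        Write-Output "No service matching '$Pattern' found; nothing to do."
        return @()
    }
    $saved = foreach ($s in $services) {
        # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'; remember it for later.
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$($s.Name)'").StartMode
        [pscustomobject]@{ Name = $s.Name; StartMode = $mode; WasRunning = ($s.Status -eq 'Running') }
        Set-Service -Name $s.Name -StartupType Disabled          # "Under Startup, click Disabled"
        if ($s.Status -eq 'Running') { Stop-Service -Name $s.Name -Force }   # "click Stop"
        Write-Output "Disabled and stopped $($s.Name) ($($s.DisplayName))"
    }
    return $saved
}

function Restore-ScriptBlockingService {
    param($Saved)
    foreach ($r in $Saved) {
        $startup = switch ($r.StartMode) { 'Auto' { 'Automatic' } 'Manual' { 'Manual' } default { 'Disabled' } }
        Set-Service -Name $r.Name -StartupType $startup
        if ($r.WasRunning) { Start-Service -Name $r.Name }
        Write-Output "Restored $($r.Name) to $startup"
    }
}

# Keep the returned records; after the fix, hand them back to Restore-ScriptBlockingService.
$saved = Disable-ScriptBlockingService -Pattern $Pattern
# Restore-ScriptBlockingService -Saved $saved
```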

I ran ComboFix as you instructed and I was pretty sure that I had turned off my modem before I ran ComboFix. However, when ComboFix finished running, rebooting and creating the log, I noticed that the modem was on. Will this corrupt the ComboFix Report? I have posted it and the new HijackThis logs below.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.
2. In the Windows Tab:
   * Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
   * Clean all the entries in the "Windows Explorer" section.
   * Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
   * Clean any others that you choose.
3. In the Applications Tab:
   * Clean all including cookies in the Firefox/Mozilla section if you use it.
   * Clean all in the Opera section if you use it.
   * Clean Sun Java in the Internet Section.
   * Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Click Start, then Run and type Notepad and click OK. Open Notepad - don't use any other text editor than Notepad or the script will fail. Copy/paste the text in the code box below into Notepad:

SifuMike,
I have posted the Virus Total scans of the files you designated below.

As to not being able to see certain posts.... When I click on the link to the topic and scroll down, the last post I can see is your post of today at 08:53PM (first couple lines quoted below). Under your post of 08:53PM I can see my name, but I simply cannot scroll down any farther; the vertical slider is all the way at the bottom of the field.

"Hi mike_77,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. "

In fact, to see your most recent post I had to view your profile and look at your recent posts (I had to do the same thing to see my own posts since your 8:53 post). Am I doing something incredibly stupid, like not clicking "Next Page?"

Hey! I am not getting that obnoxious pop-up anymore, and, unless I am becoming irrationally exuberant, I think the machine is running faster than when this whole debacle started!!!

I can see my name, but I simply cannot scroll down any farther; the vertical slider is all the way at the bottom of the field.

You are doing something wrong, as I can see everything you type. Press the "restore down" button (upper right hand corner), so the window is smaller. Then use the bottom slider and slide it to the right so you can use the vertical slider bar.

Edited by SifuMike, 18 December 2007 - 11:03 PM.


I ran the additional files you suggested and posted the results below, including the two that you initially requested (I had Virus Total Reanalyze them).

I restored down as you suggested, but I still cannot scroll to the bottom of the topic. I tried a couple of the other topics and I am able to scroll all the way to the bottom. I have attached a screenshot of the bottom of this topic as it appears on my screen. I am sure I am doing something dumb, I just don't know what.